Arthur Baars
e382d6d000
Ruby: update stats
2023-02-06 10:28:19 +01:00
Arthur Baars
ec46f33a01
Ruby: add change note
2023-02-06 10:17:19 +01:00
Arthur Baars
4af0c4bb03
Ruby: desugar one-line pattern matches
2023-02-06 10:17:19 +01:00
Arthur Baars
edbba85b96
Ruby: add one-line pattern matches to AST
2023-02-06 10:17:18 +01:00
Arthur Baars
e390ca50b0
Ruby: upgrade/downgrade scripts
2023-02-06 10:17:18 +01:00
Arthur Baars
90c51ef404
Ruby: re-generate dbscheme and library
2023-02-06 10:17:18 +01:00
Alex Ford
7768026e70
Merge branch 'main' into js-use-shared-cryptography
2023-02-03 15:18:30 +00:00
Alex Ford
6c35feaa98
ConceptsShared: add a default implementation of BlockMode CryptographicOperation#getBlockMode() for compatibility with external code
2023-02-03 14:39:32 +00:00
Alex Ford
b968b59afc
CryptoAlgorithms: make CryptographicAlgorithm#matchesName hold only if that algorithm is the most specific match
2023-02-03 14:15:32 +00:00
Alvaro Muñoz
3a9d650cb9
add qldocs for member predicates
2023-02-03 10:09:16 +01:00
Alvaro Muñoz
dd31be43e0
Support for Twirp framework
2023-02-03 09:35:22 +01:00
github-actions[bot]
faf21f3edb
Post-release preparation for codeql-cli-2.12.2
2023-02-02 23:01:04 +00:00
Alex Ford
1435ef1862
CryptoAlgorithms: make CryptographicAlgorithm#matchesName split on underscores
2023-02-02 20:30:30 +00:00
Alex Ford
e5dfbe2c8d
ConceptsShared: Add BlockMode#matchesString(string) predicate
2023-02-02 20:27:52 +00:00
Alex Ford
61095b3c58
ConceptsShared: Add deprecated DataFlow::Node CryptographicOperation#getInput() predicate
2023-02-02 20:27:05 +00:00
Anders Schack-Mulligen
67d4ed53b9
Dataflow: Sync.
2023-02-02 16:33:00 +01:00
Jeroen Ketema
3cf5107b45
Apply suggestions from code review
2023-02-02 15:48:29 +01:00
github-actions[bot]
a4fa984792
Release preparation for version 2.12.2
2023-02-02 14:34:55 +00:00
Harry Maclean
da45d3aa7f
Ruby: Fix string comparison barrier guard
`strNode` was not properly restricted for some cases.
2023-02-01 14:40:53 +13:00
Harry Maclean
0d68d88741
Merge pull request #11934 from hmac/actioncontroller-filters
2023-02-01 09:10:30 +13:00
Harry Maclean
69ed00cdf1
Ruby: QL4QL fix
2023-01-31 11:06:32 +13:00
erik-krogh
c2e8206090
add more array taint steps that taint the entire array
2023-01-30 21:14:27 +01:00
erik-krogh
962465f77a
add array-taint-steps to unsafe-shell-command-construction
2023-01-30 16:56:03 +01:00
erik-krogh
a4c42aa14b
more custom array steps from unsafe-code-construction to a utility predicate
2023-01-30 16:46:13 +01:00
erik-krogh
e01002368f
add query detecting validators that use badly anchored regular expressions on library/remote input
2023-01-30 16:34:20 +01:00
erik-krogh
f04a9cb523
Merge branch 'main' into rbRegConcept
2023-01-30 11:05:40 +01:00
Harry Maclean
f7cdd430a2
Ruby: Small fix
2023-01-30 21:55:19 +13:00
Harry Maclean
7778524e08
Ruby: Refactor
2023-01-30 21:52:59 +13:00
Harry Maclean
5e9210fcea
Ruby: use getAnAncestor
2023-01-30 21:21:38 +13:00
Harry Maclean
708e303c01
Ruby: Model except: with a const argument
2023-01-30 21:17:31 +13:00
Harry Maclean
28716866d8
Ruby: getAction -> getAnAction
2023-01-30 18:52:47 +13:00
Harry Maclean
246ad46eb1
Ruby: Account for filter skip ordering
A `skip_*_filter :foo` call only has an effect if there was an earlier
call that registered `:foo` as a filter.
2023-01-30 18:50:30 +13:00
Harry Maclean
a164e76a5d
Ruby: Model actioncontroller filter overrides
If a filter is registered twice with the same name, the last
registration wins.
2023-01-30 18:05:22 +13:00
Harry Maclean
28c3bd3e2f
Ruby: QL4QL fix
2023-01-30 17:41:36 +13:00
Harry Maclean
fb86ef4aac
Ruby: Model ActionController filters
ActionController filters provide a way to register callbacks that run
before, after or around an action (i.e. HTTP request handler). They run
in the same class context as the action, so can get/set instance
variables and generally interact with the action in arbitrary ways.
In order to track flow between filters and actions, we have to model the
callback chain. This commit does that. A later change will add dataflow
steps to actually track flow through the chain.
2023-01-30 17:41:36 +13:00
Mathias Vorreiter Pedersen
95b15825f9
DataFlow: Sync identical files.
2023-01-27 16:24:31 +00:00
Harry Maclean
07a7a213b3
Merge pull request #11871 from hmac/rack
2023-01-26 08:40:30 +13:00
Alex Ford
3dd9392f5e
Merge pull request #11869 from alexrford/rails/render_locals_shared
Ruby: Rails - generalize rails flow step for accessing render locals hash in view
2023-01-25 12:07:26 +00:00
erik-krogh
80d05c0425
also recognize protected methods as library-input sources
2023-01-24 20:55:25 +01:00
erik-krogh
a017b7500b
Merge branch 'main' into rbPoly
2023-01-24 20:51:36 +01:00
Harry Maclean
224db456af
Ruby: Simplify isRackResponse
2023-01-23 21:53:09 +00:00
Harry Maclean
60f9635ada
Ruby: Move import
2023-01-23 21:51:27 +00:00
Harry Maclean
c1207e0938
Ruby: Fix rack response tracking
Use type tracking instead of getReturningNode, which seems to be faster
and works correctly for the cases I've tried.
2023-01-23 21:43:04 +00:00
Erik Krogh Kristensen
240248b9cf
Merge pull request #11453 from erik-krogh/unsafeHtmlConstruction
RB: add unsafe-html-construction query
2023-01-23 16:40:25 +01:00
Erik Krogh Kristensen
5be97f3761
Merge pull request #11909 from erik-krogh/concatCode
Rb: recognize string concatenations as sinks for unsafe-code-construction
2023-01-23 16:22:46 +01:00
erik-krogh
ae00518ddf
remove the isAdditionalTaintStep predicate from UnsafeHtmlConstructionQuery, as it was not needed
2023-01-23 15:27:19 +01:00
erik-krogh
7c6ee5f293
Merge branch 'main' into unsafeHtmlConstruction
2023-01-23 15:01:01 +01:00
Erik Krogh Kristensen
32c4cf5769
Apply suggestions from code review
Co-authored-by: Alex Ford <alexrford@users.noreply.github.com>
2023-01-23 14:58:04 +01:00
erik-krogh
800077dabe
changes based on feedback
2023-01-23 14:54:36 +01:00
Alex Ford
3b10a2de11
Merge branch 'main' into rails/render_locals_shared
2023-01-23 10:00:22 +00:00